Ali Polatel wrote: > > On Sun, 10 Oct 2010 11:35:02 -0700 (PDT), Roland McGrath <roland redhat com> > wrote: > > > > The report_syscall_entry hook is the only one you need to prevent the > > system call from running. If it returns UTRACE_SYSCALL_ABORT, then the > > system call will fail with the ENOSYS error code. You only need to use a > > report_syscall_exit hook if you want the registers the user process sees > > after attempting the system call to be different from that. > > Neat. Although returning just UTRACE_SYSCALL_ABORT doesn't work. It just > makes the process hang for me.
I guess, the process doesn't hang but stops in TASK_TRACED? This is because UTRACE_STOP == 0, and thus UTRACE_SYSCALL_ABORT alone actually means UTRACE_SYSCALL_ABORT | UTRACE_STOP. ->report_syscall_entry() returns 2 values or'ed, utrace_syscall_action() | utrace_resume_action(). > I had to do: > return (no == SYS_socket) > ? UTRACE_SYSCALL_ABORT | UTRACE_RESUME This is correct. > ubox_syscall_exit(u32 action, struct utrace_engine *engine, struct pt_regs > *regs) > { > enum utrace_syscall_action decision; > > decision = utrace_syscall_action(action); > switch (decision) { > case UTRACE_SYSCALL_ABORT: > syscall_set_return_value(current, regs, -EPERM, -1); > /* fall through */ > default: > return UTRACE_RESUME; > } > } > > The decision argument is never set to UTRACE_SYSCALL_ABORT for me. It's > always 0 aka UTRACE_SYSCALL_RUN. This is correct. utrace doesn't pass utrace_syscall_action() returned by ->report_syscall_entry() to ->report_syscall_exit(). You can do syscall_set_return_value(EPERM) in report_syscall_entry(). Otherwise I think your engine should remember that this syscall was nacked by report_syscall_entry(). Oleg.